- using any CORS configuration?
If Eve sets her CORS header to Access-Control-Allow-Origin "victor.alt", Victor can verify the contents of the HTML it retrieves and verify all referenced scripts as well.
- while allowing read-only access?
- while limiting the parent window's access to the content of the iFrame?
Neither of these exists; an iFrame cannot read the contents of another iFrame unless they are on the same domain.
However, you could push any user information you want to keep private from Victor into a sandboxed iFrame and use window.postMessage to communicate between frames. Victor can monitor the activity between the two to ensure that no information is being leaked.
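
The postMessage arrangement described above, as an added example that is not part of the original answer: a receiving-side gate that accepts messages only from the expected frame and only in an allowlisted shape, and records every verdict for monitoring. It assumes the frame is sandboxed without allow-same-origin (so event.origin is the string "null"); the message types, field names and function names are hypothetical.

```javascript
// Added example. Allowlisted message types and their exact fields (hypothetical schema).
const SCHEMA = {
  ready: {},
  resize: { height: (v) => Number.isInteger(v) && v > 0 && v <= 4000 },
};

// Returns a verdict string; "ok" only for a well-formed message from the expected frame.
function check(event, frameWindow) {
  // An opaque-origin frame cannot be identified by origin, so compare the Window object.
  if (event.source !== frameWindow) return "wrong-source";
  if (event.origin !== "null") return "unexpected-origin";
  const d = event.data;
  if (d === null || typeof d !== "object" || Array.isArray(d)) return "not-object";
  if (!Object.prototype.hasOwnProperty.call(SCHEMA, d.type)) return "unknown-type";
  const { type, ...payload } = d;
  const fields = SCHEMA[type];
  const keys = Object.keys(payload);
  // Exact key match: extra fields are a channel for leaking data, so reject them.
  const ok = keys.length === Object.keys(fields).length &&
    keys.every((k) => Object.prototype.hasOwnProperty.call(fields, k) && fields[k](payload[k]));
  return ok ? "ok" : "bad-payload";
}

// Builds the "message" listener; every event is logged to `audit`, accepted or not.
function makeGate(frameWindow, onAccept, audit) {
  return function onMessage(event) {
    const verdict = check(event, frameWindow);
    const type = event.data && typeof event.data === "object" ? event.data.type : undefined;
    audit.push({ verdict, type });
    if (verdict === "ok") onAccept(event.data);
    return verdict;
  };
}

// Browser wiring (iframe is the sandboxed <iframe> element):
//   window.addEventListener("message", makeGate(iframe.contentWindow, handle, log));

// Constructed events standing in for real MessageEvents, so this runs outside a browser.
function demo() {
  const frame = {}, other = {}; // stand-ins for Window objects
  const accepted = [], audit = [];
  const gate = makeGate(frame, (m) => accepted.push(m), audit);
  const verdicts = [
    { source: frame, origin: "null", data: { type: "resize", height: 300 } },
    { source: other, origin: "null", data: { type: "resize", height: 300 } },
    { source: frame, origin: "https://victor.alt", data: { type: "ready" } },
    { source: frame, origin: "null", data: { type: "resize", height: 300, note: "extra" } },
    { source: frame, origin: "null", data: { type: "constructor" } },
  ].map((e) => gate(e));
  return { verdicts, accepted, audit };
}
```
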